
Goodbye SOAP logins: What Salesforce’s deprecation means for your integrations


DHM Team
26 November 2025

If you’ve worked with Salesforce for a while, you’ve probably come across the term “SOAP API.” For years, it’s been the workhorse behind countless integrations, quietly connecting systems, syncing data, and powering automation.

But that’s about to change. Salesforce has begun phasing out SOAP logins, and by mid-2027 that method will be gone. For many organisations, that’s a ticking clock that’s easy to ignore until it’s almost too late.

So what does this really mean, and what should you be doing now to prepare?

We’ve drawn on expert insights from Doug Merrett and Platinum7, specialists in Salesforce security and integration modernisation, to help you get ahead of these changes.

Why SOAP is on the way out

SOAP, or Simple Object Access Protocol, is an older way of integrating with Salesforce. It’s been reliable and flexible, but it has one big weakness: control.

To connect, SOAP integrations use a static username, password, and sometimes a security token. Once those credentials are stored in another system, they’re hard to manage and even harder to trace.

If that integration user happens to be a system administrator, and too often it is, the external system effectively has full access to your org. It can update, delete, or extract any data, deactivate users, even change configuration. And if those credentials are ever compromised, Salesforce won’t flag it as a breach, because technically it’s an authorised login.

That’s why Salesforce is moving away from this model.

The new world of integration focuses on OAuth-based connected apps and external client apps. These allow far more granular control. You can specify who can use the integration, limit permissions, restrict IPs, and revoke access instantly if needed.

What’s changing and when

The change is already underway. As of the Winter ’25 release (API version 65), Salesforce no longer supports SOAP logins for new API versions.

If your integration still uses versions 31 through 64, it’ll keep working for now. But from the Winter ’27 release (expected mid-2027), SOAP logins will stop altogether.

That might sound like plenty of time, but it really isn’t. Many organisations have dozens of integrations, and not all are easy to find or replace. The key is to start identifying them early.

How to know if you’re using SOAP

If you’re not sure, you’re not alone. SOAP often hides in the background, powering older or “set and forget” connections. A few common culprits include:

  • Legacy middleware or data sync tools
  • Old single sign-on connectors
  • Automated scripts built years ago
  • Microsoft Entra (formerly Azure AD) user provisioning

What you can do now

  1. Map your integrations
    Start by listing every system that connects to Salesforce. Check whether they use OAuth or username-password authentication.
  2. Create dedicated integration users
    If any integrations still use admin accounts, change that immediately. Give each integration its own user with only the permissions it truly needs.
  3. Use connected apps or external client apps
    These modern frameworks let you control access through permission sets, IP restrictions, and login hours. They also make auditing and revoking access easy.
  4. Work with vendors early
    If a third-party product still uses SOAP, reach out now. Vendors need time to update their connectors, and you don’t want to be stuck mid-project in 2027.
  5. Document everything
    As you modernise, record your new connection methods, credentials, and responsible owners. Future you will thank you.
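
For step 1, one way to turn login records into an integration inventory, as an added example that is not DHM's or Salesforce's own code. It assumes login history has been exported to CSV with columns named after the LoginHistory object's fields; the sample rows are constructed and `find_soap_logins` is a hypothetical helper name.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names mirror LoginHistory fields and
# every value below is made up for illustration.
SAMPLE_EXPORT = """\
Username,LoginTime,SourceIp,LoginType,Application,ApiType,ApiVersion
etl.sync@example.org,2025-11-03T01:00:12Z,203.0.113.10,Other Apex API,N/A,SOAP Partner,48.0
etl.sync@example.org,2025-11-04T01:00:09Z,203.0.113.10,Other Apex API,N/A,SOAP Partner,48.0
admin@example.org,2025-11-04T02:15:40Z,198.51.100.7,Partner Product,LegacyConnector,SOAP Enterprise,39.0
crm.app@example.org,2025-11-04T03:30:00Z,192.0.2.44,Remote Access 2.0,Reporting App,N/A,N/A
jane@example.org,2025-11-04T09:01:22Z,192.0.2.80,Application,Browser,N/A,N/A
"""


def find_soap_logins(csv_text):
    """Return one finding per (user, application, source IP, API type)."""
    groups = defaultdict(lambda: {"count": 0, "last_seen": "", "versions": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        api_type = (row.get("ApiType") or "").strip()
        # Assumption: SOAP logins are marked by an API type starting with "SOAP".
        if not api_type.upper().startswith("SOAP"):
            continue
        key = (row["Username"], row["Application"], row["SourceIp"], api_type)
        group = groups[key]
        group["count"] += 1
        # ISO 8601 UTC timestamps compare correctly as strings.
        group["last_seen"] = max(group["last_seen"], row["LoginTime"])
        group["versions"].add(row["ApiVersion"])
    return [
        {"user": user, "application": app, "source_ip": ip, "api_type": api_type,
         "logins": g["count"], "last_seen": g["last_seen"],
         "api_versions": sorted(g["versions"])}
        for (user, app, ip, api_type), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    for finding in find_soap_logins(SAMPLE_EXPORT):
        print(finding)
```

Each finding is a candidate integration to review: who owns it, whether the user is an administrator, and whether the source system can move to a connected app or external client app.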

Why this is good news

While SOAP’s retirement might feel inconvenient, it’s ultimately a huge step forward for security and transparency. OAuth-based integrations are easier to monitor, restrict, and audit. They support event monitoring and align with Salesforce’s broader shift toward secure, identity-aware access.

The change also nudges organisations to review long-standing integrations that may no longer be necessary. Many security incidents happen not because of active misuse, but because old systems were simply forgotten.

Think of this as an opportunity

This isn’t just an API update. It’s a chance to clean house. Review what’s connected, streamline what’s essential, and modernise the rest. The integrations you rebuild now will be more secure, more visible, and easier to manage.

That means fewer late-night calls when something stops working or someone spots a data anomaly you can’t trace.

The takeaway

SOAP served us well, but the future is OAuth. The sooner you move, the smoother it’ll be.

Start your audit now, talk to your vendors, and plan your migration over the next year or two. You don’t want to be racing the clock in 2027.

Modernising your integrations isn’t just an IT task. It’s how you unlock faster campaigns, cleaner data, and more reliable customer insights.

At DHM, we help marketing and sales teams simplify complex tech stacks so Salesforce can do what it does best: connect data, people, and decisions with confidence. If you’re ready to modernise your Salesforce environment, let’s talk about how to make it work smarter for your teams.
